Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2011
This document is attached to the Statement of Management Responsibility Including Internal Control over Financial Reporting (ICFR) for the fiscal-year 2010-2011. As required by the new Treasury Board Policy on Internal Control, effective April 1st 2009, this document provides summary information on the measures taken by the Public Service Commission (PSC) to maintain an effective ICFR. In particular, it provides summary information on the assessments conducted by the PSC as at March 31, 2011, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the PSC.
1.1 Authority, mandate and program activities
1.2 Financial highlights
- Total expenses were $133M. Salaries and employee benefits comprise the majority (74% or $98M);
- Staffing and Assessment Services and Oversight of Integrity in Staffing and Political neutrality are the largest programs at $48M and $26M, respectively;
- A planned $4.9M was carried forward to manage financial challenges and funding pressures in 2010-2011;
- Revenues in the amount of $12M were generated by the sale of assessment and evaluation products and services. The PSC has vote netting authority which allows it to offset expenses with revenues earned up to an amount approved by Treasury Board ($14M in 2010-2011); and
- Tangible capital assets comprise 73% of organizational total assets of $20.6M. Employee severance benefits comprise 66% of total liabilities of $26M.
1.3 Service arrangements relevant to financial statements
The PSC relies on other organizations for the processing of certain transactions that are recorded in its financial statements:
- Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and the procurement of goods and services. As well, the Treasury Board of Canada Secretariat (TBS) provides the PSC with information used to calculate various accruals and allowances, such as the accrued severance liability; and
- The PSC relies on figures from other departments for services received without charge such as legal services from the Department of Justice, accommodation from PWGSC, audit services from the Office of the Auditor General, employer’s portion of Workers’ Compensation benefits from Human Resources and Skills Development Canada and the employer’s share of insurance premiums from TBS.
1.4 Material changes in fiscal-year 2010-2011
There were no significant changes to the financial statements in 2010-2011.
2. The Public Service Commission’s control environment relevant to Internal Control over Financial Reporting
The PSC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their role in maintaining effective systems of ICFR. The PSC’s focus is to ensure risks are managed well through a proactive, responsive risk-based control environment that enables continuous improvement and innovation.
2.1 Key positions, roles and responsibilities
Below are the PSC’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.
President (deputy head) – The PSC’s President, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the President chairs the Internal Audit Committee and the Commission.
Chief Financial Officer (CFO) – The PSC’s CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO is also responsible for managing the PSC’s Corporate Risk Profile.
Senior PSC Executives – The PSC’s Vice-Presidents in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their mandate.
Chief Audit Executive (CAE) – The PSC’s CAE reports directly to the deputy head and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.
Internal Audit Committee (IAC) – The IAC is an advisory committee that provides objective views on the PSC’s risk management, control and governance frameworks. It is comprised of three external members and was established in 2006. As such, it reviews the PSC’s Corporate Risk Profile and provides feedback on the PSC’s system of ICFR.
Executive Management Committee (EMC) – As the PSC’s central decision-making body, the EMC reviews, approves and monitors the Corporate Risk Profile and the system of internal control, including the assessment and action plans relating to ICFR.
Corporate Management Practices & Evaluation Division (CMPED) – CMPED conducts evaluations of major program delivery units to measure and report on efficiency and effectiveness of operations.
Financial Management Division (FMD) – As the PSC’s resource management and allocation unit, FMD has an important budget challenge and oversight function.
Accounting Operations Division (AOD) – AOD is responsible for the design, documentation and initial testing of the PSC’s system of ICFR.
2.2 Key measures taken by the Public Service Commission
The PSC's control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools and developing skills. Key measures include:
- An Office of Values and Ethics including an Ombudsman;
- A dedicated division under the CFO on internal controls;
- Annual performance agreements which clearly set out financial management responsibilities;
- Training programs and communications in core areas of financial management;
- Organizational policies tailored to the PSC’s control environment;
- Regularly updated delegated authorities matrix;
- Documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR; and
- IT processing systems to achieve greater security, integrity, efficiency and effectiveness.
2.3 Innovation in Internal Control over Financial Reporting
The PSC took a leadership approach to implementation of the Policy on Internal Control by implementing an integrated ICFR software program and sharing the results of this initiative with 25 departments and agencies, to date. For implementing this software, the PSC received the Award of Excellence for Comptrollership in the Public Sector from the Certified Management Accountants of Canada and the Chartered Institute of Public Finance and Accountancy.
3. Assessment of the Public Service Commission's system of Internal Control over Financial Reporting
3.1 Assessment baseline
In 2005, the PSC began preparing audited financial statements. To support this initiative and enable control-based audits rather than substantive audits, the PSC undertook a program of documentation of business processes, information flows and internal controls. In 2009, Treasury Board approved the Policy on Internal Control. As a result, the PSC has further formalized its approach to managing its systems of ICFR.
Whether it is to support the control-based audit requirements or those of the Policy on Internal Control, an effective system of ICFR has the objectives to provide reasonable assurance that:
- Transactions are appropriately authorized;
- Financial records are properly maintained;
- Assets are safeguarded; and
- Applicable laws, regulations and policies are complied with.
Over time, this includes assessment of design and operating effectiveness of the system of ICFR, leading to ensuring the ongoing monitoring and continuous improvement of the PSC’s system of ICFR.
Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks (i.e., controls are balanced with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location, as applicable.
Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed.
Such testing covers all control levels which include entity, general computer and business process controls.
3.2 Assessment methods at the Public Service Commission
Due to the relatively small size of the PSC, the nature of its business and risks and building on business cycle/internal control documentation already completed for audited financial statements, the PSC was able to review the five major business cycles driving the financial statement accounts:
- Revenues from sales of assessment and evaluation services;
- Capital assets; and
- Financial reporting.
For each cycle, PSC completed the following steps:
- Gathered information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures;
- Mapped out key processes with the identification and documentation of key risk and control points on the basis of materiality, volumes, linkage to compliance documents, complexity and susceptibility to losses/frauds;
- Additional work was done during 2010-2011 to document the PSC payroll cycle, including information system interdependencies; and
- Designed and operated effectiveness testing.
Finally, the PSC took into account new information available from recent audits.
4. The Public Service Commission's assessment results
Based on the approach described above, the PSC developed a baseline architecture of all key control points by accounts, locations, processes and main financial systems.
Controls assessed as having one or more of the following attributes were considered in-scope for testing:
- Key controls;
- Driven by the Financial Administration Act; and
In assessing its key controls, PSC also addressed the question of design effectiveness. Throughout the documentation process, additional controls were identified, as were superfluous controls. Necessary changes have been identified and have either been implemented, or are scheduled for further review and implementation in 2011-2012.
The figures below show a progression from identification of the PSC’s in-scope accounts to the results of testing and, finally, to a breakdown of the types of deficiencies identified for action. Details are provided in Sections 4.1, 4.2 and 4.3.
4.1 Design effectiveness of key controls
When completing design effectiveness testing, the PSC completed all documentation and verified whether the corporate, general computer and business process controls are in place and correspond to actual practices. Design effectiveness also included ensuring appropriate alignment of each key control with risks.
As a result of these assessments, the PSC identified the following recommended improvements:
Task segregation and approvals
- One of the functional classes of the financial system required adjustment to ensure proper access segregation, including the receipt of cheques and the associated recording in the PSC’s financial system. This issue was remediated by excluding the access to the revenues module; and
- Improved verification before approving Section 33 for bulk supplementary pay transaction processing. A post-sampling tool provides flexible verification before and after approving Section 33.
4.2 Documentation effectiveness of key controls
- Further clarification of supporting documentation and procedures for revenue transactions, especially within the PSC’s regional revenue-generating centres;
- Better understanding of the role played by the PeopleSoft/Pay Interface in the payroll cycle;
- Further consolidation and documentation of desktop accounting procedures; and
- Better communication between Administration Division and IT services for recording, identification and tracking of capital assets.
4.3 Operating effectiveness of key controls
In 2010-2011 the PSC assessed the operating effectiveness of its key controls.
The following deficiencies and areas for improvement were identified:
- Custodians of some capital assets are not able to determine the asset’s location and not all high-value assets (primarily IT-related equipment) are properly bar-coded and tracked in the PSC’s inventory system;
- Lack of management for additional review of large disbursements;
- Inspection of Section 32 (funds commitment) revealed one case where the Section 32 was made after the fact; and
- Within Staffing and Assessment Services Branch’s revenue activities, with regard to Test Services and Integrated Services Division, there is no formal procedure to reconcile billing requests versus what was actually billed. Some progress has been made but controls were implemented after March 31, 2011.
- Implementation of a monthly task to ensure the application of management review of significant disbursements over $100K; and survey the commitments with a negative balance in order to substantiate financial discipline.
Overall, no particular process demonstrated major deficiencies or an excessive number of minor deficiencies. Remediation requirements to date have been documented. These deficiencies and areas of improvement are slated for action by December 2011. When completing operating effectiveness testing, the PSC ensured that the key controls were operating effectively over the full fiscal period.
5. The Public Service Commission's action plan
5.1 Progress as of March 31, 2011
During 2010-2011 the PSC continued to make significant progress in assessing and improving its key controls. Below is a summary of the main progress made by PSC.
The Public Service Commission has completed work to address the following issues:
- Completed in-depth formal flowcharting of the payroll business processes; and
- Undertook a full review of all fully-amortized assets within the capital asset inventory to identify stale, non-operational assets resulting in the removal of $1.7M in assets from the PSC balance sheet (audited by Office of the Auditor General).
The Public Service Commission has advanced work to address the following necessary adjustments:
- Standardize and streamline the vote netting revenue cycle (sale of assessment services). A midterm testing of internal controls revealed some important issues concerning the Test Inventory Control System and the back-up documentation for test services billing. The situation was addressed by verifying 100% of invoices sent for billing. We do, however, recommend that more emphasis be placed on improving the controls in the business process before the billing stage, the result of which will be increased assurance and less verification.
Action plan for the next fiscal year and future years
By the end of 2011-2012, the Public Service Commission plans to:
- Continue work on incorporating new payroll cycle processes and systems into the ICFR framework, including the implementation of PeopleSoft/Pay Interface with the Regional Pay System and any in-year process changes;
- Continue work on standardization and streamlining of the revenue cycle, including formalizing documentation requirements to make the revenue cycle more auditable;
- Financial statement account scoping to identify sub-processes requiring additional emphasis; and
- Continue the roll-out of an improved Revenue Management System (RMS 1.0) to further streamline the revenue process and strengthen internal control. This includes integrating more of the PSC’s satellite systems directly into RMS to reduce manual intervention and the risk of errors from multiple data entry points.
By the end of 2012-2013, the Public Service Commission plans to:
- Implement a system of formal attestation within the PSC’s branches with a final roll-up at the Vice-President level.